As companies aim to keep pace with an ever-expanding privacy regime, the question of how they should meet new privacy compliance requirements is a hot topic. Privacy managers and counsel are faced with the following options: Should they apply a uniform standard across all jurisdictions, adopt an individualized approach to each jurisdiction or adopt a combination of standard practices with a “lift, shift and drop” for individual requirements?
Why is a uniform approach difficult?
While a uniform approach may present economies of scale at first glance, practitioners posit this is not the case due to continuous changes in the law and the fluid nature of data flows. Given the pace of development in the former, businesses are now required to allocate different resources to track whether new laws govern their data flows.
Arguably, the privacy landscape is a complex one because it is multijurisdictional. As data is collected and transmitted across several borders, the rights and obligations of different stakeholders are governed by laws of more than a single jurisdiction. Before the EU General Data Protection Regulation, establishments in the United States looked at federal privacy rules related to the subject matter of their businesses (with specific attention to financial, medical and children’s privacy) and legislation in the states where they had a presence.
The GDPR shifted focus to the data subject by extending its territorial scope to U.S. companies and organizations that controlled or processed data of EU residents, requiring these entities to pay special attention to the geographic location of their data subjects. Enforceable standards for data processing, data subject rights, security breaches and international transfers were introduced. As many U.S. companies made changes to adhere to these standards, they were required to review their privacy policies again to meet the requirements of a piece of legislation closer to home – the California Consumer Privacy Act. The CCPA’s territorial scope, like the GDPR’s, is extraterritorial in nature and applies to "for-profit entities" that meet certain thresholds and have California residents as data subjects.
During this process, it became apparent to privacy managers that the CCPA had compliance requirements that varied from GDPR requirements, and that some individualization was therefore required. In 2020, the California Privacy Rights Act amended the CCPA framework further, with a new right of correction and further restrictions on sensitive personal information. Just as this dust settled, Virginia’s Consumer Data Protection Act was introduced and passed on March 2, 2021. Like the CCPA and GDPR, the CDPA is data subject-centric and applies to businesses (with certain thresholds) with data subjects residing in Virginia.
The CDPA also incorporates opt-outs distinct from those required by GDPR and CCPA. On the heels of the CDPA, the Colorado legislature passed the Colorado Privacy Act in early June, and there is some speculation as to which states will pass privacy legislation in the upcoming months. Businesses with data subjects in these jurisdictions will be required to review and revise their policies again. The IAPP’s privacy law tracker helps monitor updates in state legislation. This constant revision of applicable laws and the obligations they place on organizations makes it difficult for organizations to streamline their processes completely.
How are businesses dealing with these changes?
Practitioners and privacy managers recommend taking a proactive, not reactive, approach to new laws. Preparation entails setting up a framework to identify common principles and resources an entity would have at its disposal towards a comprehensive compliance program.
The entity would then decide whether to adopt a jurisdiction-by-jurisdiction approach, where the company builds out a separate program for each jurisdiction it is governed by, or whether it would utilize a “lift, shift and drop” strategy where commonalities of the various compliance requirements are identified, and unique requirements are “lifted, shifted and dropped” for individualized needs. This decision is based on the following considerations:
- The data collected, its type, where it is stored and where it is going. Privacy managers suggest the data mapping process be the first step of privacy program rollouts. Best practice recommendations include continuously evolving this process and monitoring for data substance and changes in the law.
- The technology used to collect, control, and process the data and the lifecycle of the products of the company, as well as its privacy by design processes. The main consideration is whether retroactive changes would be more difficult to implement than new privacy by design controls. Best practice recommendations for incorporating retroactive changes include early communication with product development teams, and when applicable, including security teams into the conversation to pre-empt the duplication of efforts.
- The laws governing the business, determined by where the company has its presence and where its data subjects reside. The number of jurisdictions with comprehensive laws, the enforceability of these laws by the state, and individuals’ private right of action are considerations that drive strategy. Industry standards interpreting the laws may also have practical implications for how compliance is implemented.
- The company itself. Its resources, key stakeholders and responsibilities, culture, and the importance given to a privacy program are key in driving strategy. Buy-in at the C-suite level and resource allocation towards a privacy program are perhaps the strongest influencers of privacy strategy.
- Finally, the costs of a breach — direct costs are categorized as investigative, communications, remediation and operational costs. Arguably, indirect costs, including reputational risk, customer expectations, contractual obligations and revenue impact, would play a stronger role in driving a company’s privacy strategy.
Privacy framework tools
In the backdrop of new laws and strategies, some frameworks provide privacy managers with guidance. Some of these tools include:
- The Generally Accepted Privacy Principles, a 2006, pre-GDPR privacy framework developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants, outlines ten privacy principles. The more recent and widely accepted International Organization for Standardization’s 2017 "Information technology — Security techniques — Privacy framework," ISO/IEC 29100:2011, establishes the following updated privacy principles: consent and choice; purpose, legitimacy and specification; collection limitation; data minimization; use, retention and disclosure limitation; accuracy and quality; openness, transparency and notice; individual participation and access; accountability; information security; and privacy compliance. ISO/IEC 29100:2011 also aims to specify common privacy terminology, define actors and their roles in processing personally identifiable information, and describe privacy safeguards.
- "The NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management," published by the National Institute of Standards and Technology on January 16, 2020, is a “how to guide” for privacy managers, outlining steps to develop privacy compliance policies and programs. These steps are largely categorized as: identify, govern, control, communicate and protect. This tool also highlights structured components to these steps, response approaches to privacy risks, and a set of examples on how the framework could be used.
The case for standardization of the law
Arguments for standardizing local and international privacy laws span the history of technology law. In a 2001 article, former U.S. FTC Commissioner Sheila F. Anthony argued standard privacy policy formats would more effectively communicate to consumers their content, much like the way standardized labels in the food and energy sectors communicated complex information to their consumers. The authors of a recent IAPP article discussed the benefits of a global privacy framework while recognizing the challenges that need to be overcome to develop such a framework. Until standardization is realized within the United States (perhaps through federal legislation) and globally, organizations and businesses will be required to incorporate some of the privacy strategies discussed above. A standardized approach would indeed reduce the uncertainty fostered by the changing nature of the privacy landscape.